Cse counter overflow leads to write protection

RedOne · ‎03-25-2022

Hello

So I guess I found a bug or something

What I did is that I tried to write value of counter in function calculate_M1_to_M5 to 4294967295 which is max value of uint (because parameter counter is uint type) to see what happen at overflow. I write a key with this value and nothing bad happened, however, Next I should be passing 0 at counter, but keys already hit write protection. Now I can’t erase them. Is there any way to reset memory to erase all keys?

lukaszadrapa · ‎04-04-2022

If write protection is set, there's no way to recover. Even NXP factory can't unlock it.

Regards,

Lukas

在原帖中查看解决方案

lukaszadrapa · ‎03-29-2022

Hi Denis,

width of the counter is 28bits, not 32bits. The SHE specification talks about "saturating counter", so no overflow can happen. Do you mean that destroying of the partition using CMD_DBG_CHAL and CMD_DBG_AUTH is nor working? If you set counter 4294967295 (i.e. 32bits), is it possible that additional bits set write protection somehow?

Regards,

Lukas

RedOne · ‎03-29-2022

It looks like overflow did set write protection bit, and no, cmd_debug don’t do anything because keys are now write protected. Are there any other ways to set protection bit back to 0? Like hard reset of some sort?

lukaszadrapa · ‎03-29-2022

Setting of the write protection bit is irreversible operation, it's not possible to reset the device back to factory state. This requirement is given by SHE specification.

Regards,

Lukas

RedOne · ‎04-02-2022

So basically my device is now bricked in that regard? Even sending it to nxp wouldn’t help?

lukaszadrapa · ‎04-04-2022

If write protection is set, there's no way to recover. Even NXP factory can't unlock it.

Regards,

Lukas